One problem would be that these unwanted IPs change and you could be blocking the puppet not the puppet-master. 
One system I have been using is to put SSH on an alternative port. When any IP queries port 22, it is added to a blacklist set with a fixed timeout. Every time that IP visits any port its timeout is reset to the original value. Bit like fail2ban does. By experiment I have found a day in the sinbin is about the right balance. A couple of lines or so of code does it. 
My thinking was nobody has any legit reason for visiting port 22, and if they are up to no good there then they are probably up to no good elsewhere. I added port 23 to the rule as well.
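
The sinbin described above, written out as an nftables ruleset. This is an added example and not the poster's own rules; it assumes the real SSH daemon listens on port 2222 (any alternative port works), that the one-day timeout is the value found by experiment, and that only IPv4 is in use. The key part is the first rule in the chain: any packet from an address already in the set refreshes that address's timeout, so a host that keeps coming back never leaves the set, which is exactly the fail2ban-like behaviour described.

```nft
# Added example: a self-refreshing "sinbin" for anything that touches ports 22 or 23.
# Assumptions: SSH actually listens on 2222; IPv4 only; 1d timeout as in the post.
table ip sinbin {
    # Dynamic set so rules can add/update entries from the packet path.
    # Every element expires after 1d unless refreshed.
    set blacklist {
        type ipv4_addr
        flags dynamic, timeout
        timeout 1d
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Already in the sinbin: reset the entry's timeout to 1d and drop the packet.
        # This runs for traffic to ANY port, so repeat visitors stay listed.
        ip saddr @blacklist update @blacklist { ip saddr timeout 1d } drop

        # Nobody has a legitimate reason to touch 22 or 23 here: first contact
        # puts the source in the sinbin for a day.
        tcp dport { 22, 23 } add @blacklist { ip saddr timeout 1d } drop

        # The real SSH service on its alternative port (assumed 2222).
        tcp dport 2222 accept
    }
}
```

Load it with `nft -f` and inspect who is currently listed with `nft list set ip sinbin blacklist`. Two caveats worth knowing before copying this: because a single inbound packet is enough to trigger the `add`, the spoofed-source concern raised further down the thread applies here too, and as the first paragraph above notes, a listed address may be a compromised intermediary rather than the operator behind it, so the set is a nuisance filter, not an attribution record.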

On Mon, 11 Nov 2019 at 12:29, Chris Smith via users <users@lists.bitfolk.com> wrote:

On 11 Nov 2019, at 12:01, Conrad Wood <cnw@conradwood.net> wrote:

On Mon, 2019-11-11 at 11:54 +0000, Chris Smith wrote:

It occurs to me though that these mechanisms would be an obvious
vector for a DOS attack, by maliciously blacklisting harmless IP
blocks.  I don’t know what measures (if any) denyhosts has taken to
prevent that.


I should have mentioned that I do use some community lists too. The
main point though I was attempting to convey was that I would consider
it beneficial if the blocking was done on a router upstream from the
VPS rather on the VPS itself.

Then my point is perhaps even more valid, and also raises questions about unwanted censorship.  How would I opt out if I needed to?  Perhaps I want to analyse such traffic, or use it to test my own protection software.  One man’s scat is another man’s fetish.  This seems to me far too problematic for what little benefit there is.

Chris

Chris Smith <space.dandy@icloud.com>
_______________________________________________
users mailing list
users@lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users